Last week we saw an example of the impact of an account hack. On April 23^rd, the official Associated Press Twitter account (@AP) became compromised and sent out the following tweet at 1:07pm ET:

By 1:08pm ET the Dow Jones Industrial Average had plummeted by 150 points, losing more than $137 billion. Market turmoil lasted for approximately 5 minutes before representatives from The Associated Press and the White House confirmed that the tweet was a hoax and a result of the account being hacked. After the hack was debunked, the Dow Jones regained all of its losses; however, the incident casts a spotlight on the influence of robot traders (computers programmed to make stock trading decisions based on real-time data) and the weight of social media updates.

The attack also shows an evolution in the way cybercriminals can exploit technological weaknesses by manipulating social updates from influential accounts or profiles. Now, more than ever, it is imperative that you take an active approach to your online security. Here are a few tips to ensure that your social accounts remain yours:

1. Use Strong Passwords
   Get out of the habit of easily identifiable passwords. Keep in mind that the top 5 online passwords are:
   1. password
   2. 123456
   3. 12345678
   4. abc123
   5. qwerty

   If your password is on the above list or even similar, it’s time to update it immediately. Unsure if your password is strong enough? Run it through Intel’s password tool (plus you could win an Ultrabook!).

1. Change Your Password Often
   Try to change your login passwords at least 2 times a year. A good habit is to sync this up with changing your clocks and smoke detector batteries during the Daylight Savings Time switch. By changing your passwords regularly, you’re limiting the time that a hacker might have access to your account, if it were compromised without your knowledge.

1. Use Different Passwords for Each Site Login
   It can be tempting to use the same password for your Facebook, Twitter, email, online banking etc. accounts—especially if you’re prone to forgetting your passwords. Don’t do it! You should always have a separate password for each website login. At the very least, you should have different passwords for your non-commercial accounts (Facebook, Twitter, etc.) and your online financial accounts. If your passwords are the same and a hacker manages to steal the password for one account, then they now have access to all of your online accounts.

1. Monitor Your Apps and Keep Them Updated
   Having third-party apps connected to your social account can be a huge convenience, by allowing you to quickly log into websites using your social credentials. However, be sure to verify that a site or app is trustworthy before you allow authorization. Routinely check your list of connected apps to ensure you recognize them. Finally, if there are ever updates—accept them! Most app updates address bug fixes and security concerns.

1. Keep Updated on Password Safety Best Practices
   Staying informed of best practices will keep you security savvy. Join us for a Twitter chat on May 7^th at 3pm ET as we discuss password safety with Intel, the Department of Homeland Security and STOP.THINK.CONNECT. Attend the event and participate by using the hashtag #ChatSTC.

If you’re worried about forgetting or losing your passwords, check out our McAfee All Access product. It features the new McAfee SafeKey, allowing you to easily and securely store all of your usernames and passwords to various sites, while also offering one-click logins.

For more on this topic and other security news and events, be sure to follow our team on Facebook and on Twitter at @McAfeeConsumer.

The latest hacker victim is daily deal site LivingSocial, which put more than 50 million customers’ data at risk.  These types of attacks give hackers access to not only customers’ credit card information, but also any personal information stored in databases, such as home address, phone number and email.

These hacks are continuing at an alarming rate and unfortunately, small- and medium-sized businesses (SMBs) are valuable targets for cybercriminals. Hackers count on companies who underestimate their exposure, and more than 75 percent of data breaches in 2011 targeted SMBs. With limited budgets, time and resources, SMBs often tend to overlook the importance of a well-rounded security solution. This puts SMBs at greater risk for an attack.

Now more than ever, SMBs should also be aware of the potentially damaging implications of such hacks. LivingSocial is a prime example. Since SMBs are increasingly looking for new channels to market their goods and services, daily deal sites such as LivingSocial are attractive services since they offer a platform to reach a broader customer base. Unfortunately, these new channels also come with potential risks that can leave SMBs vulnerable. SMBs should think of these daily deal sites as another service provider or another database that they need to secure.

To protect themselves, their business and their customers, SMBs need to enact additional security protocols. Specifically, SMBs should:

1. Ensure any discount outlets they use implement full encryption across all aspects of their customer data

2. Confirm they do not store credit card information in the same database as customer data
3. Verify that discount outlets and digital channels digitally shred customer data once the transaction is completed
4. Require all employees to use their business systems passwords for work purposes ONLY. Employees should not use their work emails or passwords to register on sites such as LivingSocial. Doing so exposes the business to vulnerabilities from hackers who can gain access to sensitive business information from within

But regardless of your opinion – there is no denying that social media is here to stay. In my opinion it makes sense for teachers to embrace it and use it as a way to connect with and enthuse our kids. It’s important to stay relevant in their online world, which both helps us to be a part of that experience and gives us the opportunity to teach them how to use social media in the right way because at the end of the day – social media is the currency of our children’s generation.

Many educators and parents are concerned about the use of social media in schools because of the threat of bullying. However, I believe the best part about using social media in the classroom is that it means the function of these sites is less about pure socialising (where there is a chance bullying behaviour can occur) and more about learning. And I can assure you this is a big positive from a parent’s perspective!

So, how are teachers using it?

• Some teachers (both Primary and Secondary) are setting up class Twitter accounts. Year 5 teacher Bec Spink from Aitkin Creek Primary School in Craigieburn set up a class Twitter account, in consultation with her principal and the class parents. The class has tweeted the Prime Minister and is using the account to converse with students around the world.

• Many schools have created Facebook pages for various subjects and extra-curricular activities. Northern Beaches Christian School in Sydney’s Terrey Hills has Facebook group pages for various subjects such as engineering. Students post photos taken on their mobile phones during lessons and discuss questions and homework with both their classmates and teachers.

• Class blogs are being used by both Primary and Secondary teachers to not only highlight class achievements and activities but give the students an opportunity to publish their work. Kathleen Morris from Leopold Primary School in Victoria has had a class blog since 2008 and uses blogging in most of her classroom activities. In 2012, her class blog won a highly contested international Edublog competition for classroom blogs.

So, if your child teacher wants to create a class blog or even a YouTube channel, take a moment to think about the array of benefits before you say NO. It may just provide the inspiration your child needs to help them develop a lifetime love of learning.

In other words: This is a big deal.

For both Facebook and Apple, the hacks originated in a Java software plug-in. I discussed the importance of Java vulnerabilities earlier in the blog here, and to recap, Java is a programming language and computing platform that runs on practically every device in your home and office. This is also true for large corporations – including Apple, Facebook, and practically every other company you interact with or buy from.

In this case, hackers were able to infect the computers of Apple and Facebook employees when they visited a developer website that was infected with malicious software (malware). This malware was specifically designed to infect Mac computers, something that up until now has been a rare occurrence–especially in high-profile corporate environments like Apple HQ.

And the hack doesn’t stop with Apple and Facebook. In early February, Twitter also reported a breach caused by the same malicious software. Unlike the Apple and Facebook hacks, however, the Twitter breach may have leaked the information of close to 250,000 users. This is particularly troubling when you consider the fact that these are only the reported attacks, and the full scale of the campaign is still unknown.

The Big Picture: What This Means, and What You Can Do About It

I wrote a blog post late last week entitled “Can My Apple Devices Get Hacked?,” and I think we can all now agree that the answer is an absolute yes. This is the first significant attack on corporate Mac computers, and it shows that cybercriminals will continue to invest time and money on the Apple operating system moving forward. But this exploit doesn’t just affect Apple enthusiasts, and Windows owners should note that there is a version that infects PCs as well.

Ultimately, this is a wake-up call for all of us to pay more attention to security and online safety best practices–from the most novice home computer users to seasoned developers at Facebook, Twitter, and Apple HQ.

To protect your home devices (PCs, Macs, smartphones, or tablets) against this attack, we recommend the following steps: 

1. Disable or remove Java from your primary web browser. You can find detailed instructions on how to do this in my previous blog post on the topic, here. Note that hackers are on the lookout for unsuspecting victims typing in search terms like “Java update” or “Java virus,” so use caution when looking for ways to update your software. Here is a link to the actual Java homepage, which also provides instructions on how to update or disable Java from your browser.

2. Install McAfee SiteAdvisor software. This is a free browser plug-in provided by McAfee, and it will help protect your computer if, for example, you type in “Java update” and are led to malicious search results on Google or Bing. McAfee SiteAdvisor is available for both PCs and Macs, and it works by alerting you to risky sites with small rating icons beside your search results.

3. Keep all software up-to-date. Trust me, when a large company like Apple suffers a large-scale attack, they care. Somewhere in a West Coast office, there’s an entire security team awake at 3am working hard to make sure a breach like this is unlikely to happen again. The result is a software update that will probably pop up on your computer, tablet or smartphone within a few days. Do not put this (or any) update off. That 2-minute update could save you countless hours (and a lot of money) as you try to fix your machine and recover lost data.

4. Download security software. I realize that this piece of advice is coming from a security software company–but I mean it. This is the #1 most effective way to protect every device in your home. Solutions like McAfee All Access can protect your PCs, Macs, smartphones, and tablets with the maximum level of protection that can be delivered to each device. In fact, we’re currently running a promotion for 50% off McAfee All Access (you can access the download here), which I urge everyone to take advantage of if you haven’t already installed security software.

For more information on this topic and other emerging threats, be sure to follow our team on Facebook and on Twitter with @McAfeeConsumer.

Of course, you choose option 2. It’s easy, it’s fast, and it’s “secure” based on the third party app’s disclosure statement about how they’ll use your information. You’re in, and all security worries are forgotten as you have fun with your brand new app.

One Problem: An App Never Forgets.

When you clicked “Sign in through Twitter,” you probably assumed the app would have access to certain public information, like your unprotected Tweets and Facebook posts. In fact, most apps include a sign in page that determines what information the program can access: public tweets, followers, etc. But as a security researcher uncovered earlier this week, bugs in the system can give apps access to private information without user approval.

In the case of the specific Twitter bug in question, a third party app leveraged a privacy setting run-around to access private direct messages without explicit user authorization. While Twitter promptly fixed the security flaw, apps that previously took advantage of the loophole were not reset to original permission levels. This means that until you manually revoke permissions in affected applications, your privacy could still be at risk.

How to Reset Twitter App Privacy Settings

If you have any apps on your smartphone or tablet that use Twitter to log in, it takes just two easy steps to make sure privacy permissions are set appropriately:

1. Visit the “Apps” page on Twitter to see all applications that you have authorized to access your account. This page can be found under “Settings” (see the screenshot below).

2. Scroll down your list of authorized applications, and revoke access for any apps you do not recognize, or any that list inappropriate permissions.

- For example, applications you use regularly to send scheduled messages (like TweetDeck), might say “read, write, and direct messages.”However, apps that have no reason to access your direct messages (like games) should only say, “Permissions: read and write.”

3. For more security peace of mind, McAfee All Access with McAfee Mobile Security allows users to easily monitor the privacy access levels of mobile apps, providing automatic reviews and reports while scanning for malicious content.

The Bigger Picture: Why do we log in with Twitter at all?

There’s a larger issue embedded in this story, and it’s an issue of digital identification. Why, in a world where we have just one driver’s license and one passport to identify ourselves internationally, do we still rely on dozens of passwords (or insecure apps like Twitter) for online identification?

It’s an issue I discussed last week in the blog, and one that many companies, McAfee included, are taking very seriously. On one side of the argument, the US government is urging Internet companies to agree upon and adopt a standard, reliable identity-verification system that people can use for any website. We already see examples of this today (like when you log into an app with your Twitter, Facebook, or Google credentials), but the system has not been standardized and is still very insecure.

On the other side, privacy watchdogs have voiced concerns over whether a standardized online identity system would lead to government surveillance, or whether computers are secure enough at any level to be used for these purposes. Smart ID system or not, security vulnerabilities stem from buggy software, and if a user’s digital ID were to be stolen, it could be used to both pose as the user and access all the user’s accounts and data.

The bottom line is that secure ID technology isn’t quite there yet, so it’s still up to you to protect your information when registering for a new website or application. It’s imperative to check security settings on all applications, devices, and social channels (not just Twitter), and you can find a detailed step-by-step for other channels here.

For more on this topic and other important news on consumer threats, be sure to follow us on Twitter @McAfeeConsumer.

There has been a great explosion of chatter in the last day around Anonymous’ “Operation Last Resort” (a.k.a. #OpLastResort).

The entities behind the various “official” communications around this operation have a sense of humor that we must point out (especially because if you don’t catch it, you will end up wiping your disk).

Background

In typical fashion with these events, some data suggests that the whole thing (or at least the leak) is a hoax. Regardless of what data resides in the leaked files, it is apparent that someone is having fun, via the embedded scripts in the USSC site. (See the Update section, below, for details on the Konami scripts.)

Anonymous has infiltrated specific US government systems in response to the “killing” of Aaron Swartz, who committed suicide on January 11. According to various posts and other communication channels, the operation is also tied to Barrett Brown and the law-enforcement actions against him. Ussc.gov (and others) have reportedly been compromised, and various caches of sensitive data have been exfiltrated. The first round is a .rar file (composed of multiple raw downloads). Details on how the compromise or breach took place are not clear or reliable. It is likely (though unconfirmed) that part of the initial intrusion was via SQL injection. Based on phrases in the official videos, RATS or other temporary “leakware” may have existed on compromised systems, and have been subsequently removed by the attackers. Reports suggest that the contents of this leak pertains to various U.S. Supreme Court Justices.

The file set includes an official promo video for the operation, as well as a statement:

"Still there is nothing quite as educational as a well-conducted demonstration...

Through this websites and various others that will remain unnamed, we have been 
conducting our own infiltration. We did not restrict ourselves like the FBI to one 
high-profile compromise. We are far more ambitious, and far more capable. Over the last 
two weeks we have wound down this operation, removed all traces of leakware from the 
compromised systems, and taken down the injection apparatus used to detect and exploit 
vulnerable machines.

We have enough fissile material for multiple warheads. Today we are launching the 
first of these. Operation Last Resort has begun... Warhead-US-DOJ-LEA-2013.AEE256 
is primed and armed. It has been quietly distributed to numerous mirrors 
over the last few days and is available for download from this website now. 
We encourage all Anonymous to syndicate this file as widely as possible.

The contents are various and we won't ruin the speculation by revealing them. Suffice 
it to say, everyone has secrets, and some things are not meant to be public. At a 
regular interval commencing today, we will choose one media outlet and supply them 
with heavily redacted partial contents of the file. Any media outlets wishing to be 
eligible for this program must include within their reporting a means of secure 
communications.

We have not taken this action lightly, nor without consideration of the possible 
consequences. Should we be forced to reveal the trigger-key to this warhead, we 
understand that there will be collateral damage. We appreciate that many who work 
within the justice system believe in those principles that it has lost, corrupted, 
or abandoned, that they do not bear the full responsibility for the damages caused 
by their occupation.

It is our hope that this warhead need never be detonated."

This release is the referred-to “warhead”–specifically “Warhead-US-DOJ-LEA-2013.AEE256.” The “trigger key” referred to in the video is the decryption key for the content. Anonymous also indicated that they will, at some interval, release heavily redacted previews of the decrypted content. As of this writing, these have not emerged. We have, however, seen some fake decryption keys making the rounds.

Now, back to the “humor” that I alluded to earlier in this post. Some of the releases around this operation contain the following handy instructions:

If you did not catch it, at the end that’s an “rm” with force and recursion starting at the root.

What else does this operation entail? It is said that a Twitter-Storm campaign will commence on January 25.

"BEGIN THE MESSAGE OF ATTACK on January 25th at 11:59 PM EST"

Full details on this part of the operation are detailed in some of the groups PADs. This will be an interesting operation to pay attention to during the next few days.

What will the next warheads be? When will we start to see decrypted content from any of the warheads circulating? How will various governments react?

Stay tuned.

Update, January 27

The USSC.gov site is still compromised. A special surprise (via embedded JavaScript) awaits those who  recall some of the old Nintendo/Konami codes. Through a series of keystrokes, a script will let you fly various objects around the page, view fireworks, and more.

Upon execution, the script provides some on-screen controls, and you can even control the various objects (including Nyan Cat) via the arrow keys.

Since then, this area has evolved considerably. Today independent experts are no longer reluctant to predict government-sponsored military and industrial espionage or targeted cyberattacks causing physical damage. Cyberwar and cyberterrorism have become genuine threats.

The experts are now publishing their views. A draft manual outlining how existing international laws can be applied to conflicts in cyberspace was published by Cambridge University Press in September. Prepared by an international group of experts at the invitation of the North Atlantic Treaty Organization Cooperative Cyber Defence Centre of Excellence, the 215-page study “The Tallinn Manual on the International Law Applicable to Cyber Warfare” examines existing international law that allows countries to legally use force against other nations, as well as laws governing the conduct of armed conflict. The rules of conventional warfare are more difficult to apply in cyberspace, making this analysis critical.

In October, the United Nations Office on Drugs and Crime (UNODC) published a report that provides practical guidance to member states for more effective investigation and prosecution of terrorist cases involving the use of the Internet. “The Use of the Internet for Terrorist Purposes” is the first of its kind and was produced in collaboration with the United Nations Counter-Terrorism Implementation Task Force.

Events in the Middle East give us perfect examples of this field: the disclosure of credit card and account details of thousands of Israeli nationals (the UNODC report calls this an act of terrorism), malware targeting a wide range of Israeli government agencies, and a wave of cyberattacks affecting the communication networks on Iranian offshore oil and gas platforms.

On November 14 Internet conflict showed another face: Various media outlets claimed the “first Twitter declaration of war” when the Israeli Defense Forces announced a Gaza operation via a tweet from the @IDFSpokesperson account.

Later, the account confirmed that its first target, Ahmed Al-Jabari of the Ezzidine Al-Qassam Brigades, the Hamas’ military wing, had been killed in the attack. A picture came with the tweet.

More disturbing, another tweet pointed to a YouTube video showing this military operation.

YouTube quickly blocked the video and claimed it violated its terms of service. Nonetheless, the video reappeared yesterday and is now available from a vast number of URLs.

Cyberpropaganda serves not only the Israelis. The Ezzidine Al-Qassam Brigades also have a Twitter account.

They have even directly responded to their attackers, promising revenge.

These recent events demonstrate that Internet is now at the center of many activities, the best and the worst.

And Twitter and YouTube are not the only propaganda vectors. The Israeli army also has a blog, a Flickr account, and a Facebook page.

As for the Ezzedeen Al-Qassam Brigades, their website is now unavailable, perhaps under a DDoS attack.

Twitter, which came into existence barely six years ago, has taken the Internet community by storm. Today the micro-blogging site has over 500 million active users, yours truly being one of those addicts who feels restless if a day goes by without tweeting! I love the fact that there’s so much to discover every day, to discuss, to share- no wonder Twitter generates over 340 million tweets daily!

You know the fun parts of Twitter?

• Post length can’t exceed 140 characters (We are spared from the attacks of the verbose!)
• You get to meet like-minded people whom you would have otherwise never known
• You can offer links to your blogs and get wider audience this way for your business, activities
• It is a more personal way to interact, form groups, keep in touch with friends
• Journalists, businesses, politicians use it widely and you can get to connect with them as well
• Twitter is behind many of the recent social uprisings

So as long as you use the site wisely and responsibly, it offers a window to the world. Now the thing to know is what additional facts should parents know before they allow their kids to go on Twitter:

• Twitter’s policy clearly states that its services are ‘not directed to persons under 13’. However, the site does not take any serious steps to enforce this limit
• Whatever is posted under public settings becomes accessible to all, including direct message (dm). Even people you don’t follow can read your public posts

The red flags:

• Twitter messages are public; and you can’t take back your words, even if you delete them
• Twitter collects data about you and shares it with third parties
• If the company is ever sold, this information can be sold off as an asset
• Advertisers can target users based on their history of their tweets
• The number of trolls is on the rise and they can prove to be really troublesome
• There is no need to seek pre-approval or permission to share any users’ posts. So what you might intend for some to read may go viral, with sometimes unpleasant consequences
• Spammers are already at work. They  spam accounts to direct higher traffic to their websites
• Young people are at a high risk of being influenced by “online groomers“
• Hashtagged comments may backfire as trolls or mischief makers may bend them to suit their ends
• Kids take their beefs (virtual arguments and fights) to the real world, and then it gets ugly

The dangers themselves suggest the remedies and precautions. Kids should play it safe and befriend only a limited few. Moreover, they should make their profiles “by request only”, so that they can choose who they want to interact with. Also educate them on how to identify, avoid and block trolls and abusive people.

One very important thing to keep in mind is that people on Twitter air their personal views and often exaggerate. So kids should under no circumstances believe all that they read.

And remember to keep your security software installed and upgraded. Every time I check out suggested link and my McAfee Total Protection stops me with a bright “WHOA! Do you really want to go there?” message. I am thankful and feel so very secure. Try it, its liberating J

Happy Tweeting, Tweeps…cheep, cheep!!!

I met with key enterprise customers, telecom operators, and partners. I also met with a very knowledgeable journalist from one of the top Russian IT magazines. All these conversations were very enjoyable. Moreover, I was pleased to receive very positive feedback from customers, partners and media about the concept of our holistic security approach with our Security Connected Reference Architecture. My audience was interested to hear from our latest releases, especially our co-developments with Intel and the new protection features we provide for smartphones and tablets. This week, I travelled to the Middle East where I met quite a few key customers. In addition, I attended a Cyber Security Briefing in Saudi Arabia and met with over 50 CIO’s and security executives in the region.  McAfee released its latest Threat Report with Mobile “Drive-by Downloads”, use of twitter for control of mobile botnets, and mobile “Ransomware” counting among the latest trends.

The agenda of the Executive Briefing Center in Amsterdam starts to look pretty packed for the last month of the quarter and starts to fill for October. Customer and partners can experience in real time how attacks behave and spread throughout the Internet. I plan to personally welcome as many customers as possible in the EBC.

Next week I will be travelling to the UK for some exciting new meetings. More to come! Meanwhile don’t forget to stay in touch by following me on my twitter account: @GertJanSchenk

 This quote came from Andy Grove, Intel Co-founder and former CEO.  And, while he said this at an annual meeting in 1998, his philopsophy is timeless.  In my opinion, social networking is at the crux of this inflection point.  Enterprises recognize that they must begin to embrace social networking – with its extraordinary potential– but doing so has its own set of challenges.

 The Gen-Ys entering the workforce have been raised in an instant communication digital age. For them, social media is how they communicate now and how they expect to communicate in the future as business professionals. Corporations that have strict security policies tell me that their ability to hire fresh talent is difficult because they are competing with companies that have a more “open” social media policy.  

 On the flip side, many corporations are leveraging full-blown social media strategies to reach out to their customers. On my own personal Facebook account, I’ve “friended” a number of artists, as well as local and global companies I admire, and it’s evident that it’s one of the most cost effective means of communicating directly with a captive audience. So, doesn’t it seem ironic that the same companies that are using this medium to market their products are the same ones that are locking down their employees’ access to it?

 But let’s be fair.  The businesses that are limiting access to sites like Facebook, Twitter, and Linkedin are simply worried that too much information sharing will result in lost productivity, data leaks, and sometimes a diluted culture. But, even more concerning to IT security people is that the sites most visited by employees are malware magnets that have been exploited by hackers — stealing identities, distributing viruses, and sending spam.  And, the security risks are only getting worse.  

 So where’s the balance?  How do we inject fundamental change into a social fabric that has such strong fibers? I believe the solution is to allow corporations to embrace social media, while providing them with technology that allows them to monitor, or limit, its use. These technologies can also be leveraged to ensure that corporate sensitive information does not inadvertently (or purposefully) leak onto these open platforms.  The McAfee Cloud Security Platform is an option that integrates modules capable of protecting against the worst social networking has to offer, and may be the only way to make today’s security strategic inflection point a positive one.

 McAfee launched this platform last year to protect data to and from the cloud through the major traffic channels: Web, Email and Authentication/Identity – including social media platforms. We’ve continued to innovate and enhance the products included in this platform to secure businesses from growing online threats.  I encourage you to learn more about how the McAfee Cloud Security Platform can help you and your business be protected while allowing social networking to thrive.